SANSFIRE 2014

How to Spy on your Employees with Memory Forensics

Alissa Torres

Thursday, June 26th, 7:15pm - 8:15pm

Many companies can't afford employee endpoint monitoring software such as SpectorPro, and yet still have the need to figure out how a rogue employee is spending his time on the job. Consider a cheaper solution for employee spying- one that makes use of native Windows services and an investigator's ninja memory analysis skills. Whether it be creating a scheduled task to send a machine to hibernate or instantiating an unsuspected memory dump, targeted employee spying can be done on the cheap. Through process enumeration, browsing history reconstruction and memory-mapped file extraction, watch as your presenters piece together what our trusted insider was doing on their company computer, unbeknownst to his boss. Even if you don't have the need to covertly investigate a rogue employee (yet), this talk will arm you the knowledge to know what is within the realm of the possible.

Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.

Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.